Symptoms

You start the Group Policy Management Console (GPMC) on a computer that is running Windows Vista, Windows Server 2008, or later versions of the Windows operating system. You use the Group Policy Management Editor window to edit Group Policy settings. In this scenario, the Run only allowed Windows applications Group Policy setting displays no entries. However, the entries for this setting are displayed if you edit Group Policy settings on a server that is running Windows Server 2003 or on a computer that is running Windows XP.

Regardless of the operating system, the Group Policy settings are applied correctly.

Cause

This issue occurs only when the following conditions are true:

The network is a mixed environment of different operating systems including the following:

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

Windows Vista (RSAT)

Windows 7 (RSAT)

Windows 8.1

The network also has at least one computer that is running one of the following operating systems:

Windows Server 2003

Windows Server 2003 R2

Windows XP

You have previously edited the Group Policy setting on a computer that is running Windows XP or Windows Server 2003.

When these conditions are true, an issue prevents the Group Policy Management Editor window from correctly displaying the Run only allowed Windows applications setting on computers that are running Windows Vista, Windows Server 2008, or Windows 7.

Workaround

To work around these issues, you can use one of the following methods.

Method 1: Use AppLocker or Software Restriction policies instead of this legacy policy

Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 all support Software Restriction Policies (SAFER) which also control applications similiarly to AppLocker. Both AppLocker and SAFER replace the legacy policy setting "Run only allowed Windows applications", which was originally designed for Windows 95 system policies.

Method 2: Re-create the setting on Windows 7 or on Windows Server 2008

To work around this issue, you will have to re-create the Run only allowed Windows applications Group Policy setting by using the Group Policy Management Editor window on a server that is running Windows Server 2008 or on a Windows 7-based computer. After the setting has been re-created, do not edit Group Policy settings on a server that is running Windows Server 2003 or on a Windows XP-based computer.

Method 3: Edit the setting on Windows Server 2003 or on Windows XP

To work around this issue, only edit the Run only allowed Windows applications Group Policy setting on a server that is running Windows Server 2003 or on a Windows XP-based computer.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.